A mass spear phishing attack could await victims of the recently publicized data breach at discount online broker TD Ameritrade, IT security experts said this week.
The Omaha, Neb.-based brokerage revealed on Friday that the names and contact details for some 6.3 million customers were exposed when hackers infiltrated a database. No Social Security numbers, account information or other sensitive information was hijacked in the attack, which the company discovered several weeks ago.
But the information pilfered could still be used to propagate identity theft, experts from Sophos said Monday.
“Hackers are now in possession of 6.3 million email addresses for people that they know are interested in trading shares,” Graham Cluley, senior technology consultant for Sophos, said. “This knowledge alone could spur the creation of highly targeted spam emails,” such as pump-and-dump scams.
Carl Banzhof, vice president and chief technology evangelist at McAfee, told SCMagazineUS.com today that the cyberthieves likely used SQL injection tactics to infiltrate the database, harvesting email addresses.
“Once you have that information, you can craft an email message that looks very convincing to a customer and trick them into giving up more information,” he said.
TD Ameritrade said it discovered the breach after customers told the company they had received spam offering unsolicited investment advice. Company spokeswoman Kim Hillyer told SCMagazineUS.com today that a small number of clients notified Ameritrade about the junk mail.
“Through the course of investigating that, a few weeks ago, we discovered unauthorized code on our system,” she said.
But the online brokerage’s knowledge of the breach may go back to last October, according to published reports. That is when New York lawyer Scott Kamber filed a class-action lawsuit on behalf of customers who had received stock-related spam.
The plaintiffs filed a motion last month that would have required Ameritrade to notify customers about the breach, but before a hearing could be held the company disclosed the incident.
Meanwhile, Edward Ray, chief information risk strategist at Getronics, a global IT services firm, told SCMagazineUS.com today that TD Ameritrade may have deliberately turned a blind eye to the reports of spam from its customers.
“It’s one of those situations where Ameritrade wasn’t losing any money and they decided they didn’t want to do anything about it,” he said. “And if [the spam messages] convince people to buy and sell stock, that’s money in Ameritrade’s pocket. Either they knew about it and were colluding, or they knew about it and didn’t care. Take your pick.”
Hillyer said the company took the reports seriously and began investigating the cause.
“Obviously we’re concerned if our clients’ information is getting out,” she said.
Banzhof said it may have taken Ameritrade a long time to confirm an attack took place.
“Even though you’re getting feedback from your constituents that something is going on, it’s buried in so many lines of code, it’s hard to find,” he said.
This multi-stage attack is similar to the recent theft at Monster.com in which thieves stole the email credentials of some 1.3 million job seekers.
Ray said controls should have been in place to prevent the Ameritrade compromise.
“One would assume that in this day and age of Sarbanes-Oxley and other regulations, [Ameritrade] would have human beings and physical hardware and software in place to detect this sort of thing,” he said.